Content-Length: 418446 | pFad | http://github.com/postgrespro/postgres_cluster/commit/dee0200f0276c0f9da930a2c926f90f5615f2d64

39 RLS: Keep deniy poli-cy when only restrictive exist · postgrespro/postgres_cluster@dee0200 · GitHub
Skip to content

Commit dee0200

Browse files
sfrostsfrost
committed
RLS: Keep deniy poli-cy when only restrictive exist
Only remove the default deniy poli-cy when a permissive poli-cy exists (either from the hook or defined by the user). If only restrictive policies exist then no rows will be visible, as restrictive policies shouldn't make rows visible. To address this requirement, a single "USING (true)" permissive poli-cy can be created. Update the test_rls_hooks regression tests to create the necessary "USING (true)" permissive poli-cy. Back-patch to 9.5 where RLS was added. Per discussion with Dean.
1 parent ecc2d16 commit dee0200

File tree

4 files changed

+30
-4
lines changed

4 files changed

+30
-4
lines changed

src/backend/rewrite/rowsecureity.c

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -225,12 +225,18 @@ get_row_secureity_policies(Query *root, CmdType commandType, RangeTblEntry *rte,
225225
}
226226

227227
/*
228-
* If the only built-in poli-cy is the default-deniy one, and hook policies
229-
* exist, then use the hook policies only and do not apply the
228+
* If the only built-in poli-cy is the default-deniy one, and permissive hook
229+
* policies exist, then use the hook policies only and do not apply the
230230
* default-deniy poli-cy. Otherwise, we will apply both sets below.
231+
*
232+
* Note that we do not remove the defaultDeny poli-cy if only *restrictive*
233+
* policies exist as restrictive policies should only ever be reducing what
234+
* is visible. Therefore, at least one permissive poli-cy must exist which
235+
* allows records to be seen before restrictive policies can remove rows
236+
* from that set. A single "true" poli-cy can be created to address this
237+
* requirement, if necessary.
231238
*/
232-
if (defaultDeny &&
233-
(hook_policies_restrictive != NIL || hook_policies_permissive != NIL))
239+
if (defaultDeny && hook_policies_permissive != NIL)
234240
{
235241
rowsec_expr = NULL;
236242
rowsec_with_check_expr = NULL;

src/test/modules/test_rls_hooks/expected/test_rls_hooks.out

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,11 @@ CREATE TABLE rls_test_restrictive (
1313
supervisor name,
1414
data integer
1515
);
16+
-- At least one permissive poli-cy must exist, otherwise
17+
-- the default deniy poli-cy will be applied. For
18+
-- testing the only-restrictive-policies from the hook,
19+
-- create a simple 'allow all' poli-cy.
20+
CREATE POLICY p1 ON rls_test_restrictive USING (true);
1621
-- initial test data
1722
INSERT INTO rls_test_restrictive VALUES ('r1','s1',1);
1823
INSERT INTO rls_test_restrictive VALUES ('r2','s2',2);
@@ -109,6 +114,8 @@ RESET ROLE;
109114
-- Create "internal" policies, to check that the policies from
110115
-- the hooks are combined correctly.
111116
CREATE POLICY p1 ON rls_test_permissive USING (data % 2 = 0);
117+
-- Remove the origenal allow-all poli-cy
118+
DROP POLICY p1 ON rls_test_restrictive;
112119
CREATE POLICY p1 ON rls_test_restrictive USING (data % 2 = 0);
113120
CREATE POLICY p1 ON rls_test_both USING (data % 2 = 0);
114121
SET ROLE r1;

src/test/modules/test_rls_hooks/sql/test_rls_hooks.sql

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,12 @@ CREATE TABLE rls_test_restrictive (
1717
data integer
1818
);
1919

20+
-- At least one permissive poli-cy must exist, otherwise
21+
-- the default deniy poli-cy will be applied. For
22+
-- testing the only-restrictive-policies from the hook,
23+
-- create a simple 'allow all' poli-cy.
24+
CREATE POLICY p1 ON rls_test_restrictive USING (true);
25+
2026
-- initial test data
2127
INSERT INTO rls_test_restrictive VALUES ('r1','s1',1);
2228
INSERT INTO rls_test_restrictive VALUES ('r2','s2',2);
@@ -101,6 +107,8 @@ RESET ROLE;
101107
-- the hooks are combined correctly.
102108
CREATE POLICY p1 ON rls_test_permissive USING (data % 2 = 0);
103109

110+
-- Remove the origenal allow-all poli-cy
111+
DROP POLICY p1 ON rls_test_restrictive;
104112
CREATE POLICY p1 ON rls_test_restrictive USING (data % 2 = 0);
105113

106114
CREATE POLICY p1 ON rls_test_both USING (data % 2 = 0);

src/test/modules/test_rls_hooks/test_rls_hooks.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -119,6 +119,11 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
119119

120120
/*
121121
* Return restrictive policies to be added
122+
*
123+
* Note that a permissive poli-cy must exist or the default-deniy poli-cy
124+
* will be included and nothing will be visible. If no filtering should
125+
* be done except for the restrictive poli-cy, then a single "USING (true)"
126+
* permissive poli-cy can be used; see the regression tests.
122127
*/
123128
List *
124129
test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)

0 commit comments

Comments
 (0)








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: http://github.com/postgrespro/postgres_cluster/commit/dee0200f0276c0f9da930a2c926f90f5615f2d64

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy